Zappos Says Hackers Accessed 24 Million Customers' Account Details

Twenty-four million Zappos customers are getting an unpleasant Sunday-evening surprise.

The Amazon-owned e-commerce firm has revealed that it was the target of a cyber attack that gained access to its internal network, including the accounts of 24 million of its users. Though the company says that no complete credit card numbers were revealed in the breach, the intruders may have accessed customers' names, email addresses, phone numbers, addresses, the last four digits of their credit card numbers, and encrypted passwords. Zappos says it's taken the precaution of resetting the passwords of all its customers and directing them to set a new password upon visiting the site.

"We were recently the victim of a cyber attack by a criminal who gained access to parts of our internal network and systems through one of our servers in Kentucky," chief executive Tony Hsieh wrote to Zappos employees in an email posted to the site, declining to offer more information about the breach. "We are cooperating with law enforcement to undergo an exhaustive investigation."

Even after choosing a new Zappos password, users should be careful to also change their passwords on any site where they've used a similar or identical password, in case Zappos' intruders are able to decrypt the scrambled passwords they've stolen. Zappos is also warning affected customers to watch out for phishing emails that will use their stolen email addresses to spoof official Zappos emails and ask for account credentials or financial details.

Hsieh wrote in his all-hands email that every employee at Zappos' Henderson, Nevada headquarters will be assisting in the customer response to the breach, and that the company will only be responding to emails rather than phone calls in its effort to answer the massive number of queries that it expects to receive. "We've spent over 12 years building our reputation, brand, and trust with our customers. It's painful to see us take so many steps back due to a single incident," he wrote in the email. "I suppose the one saving grace is that the database that stores our customers' critical credit card and other payment data was not affected or accessed."